Oracle ordered to blitz users with Java security warnings

What's worse than stale coffee? Stale Java, says the US Federal Trade Commission.
Written by Liam Tung, Contributing Writer

Oracle has been ordered to warn users if they're running an outdated version of Java SE, under a settlement with the US Federal Trade Commission (FTC).

The agreement settles claims by the FTC that Oracle deceived users when telling them their computers would be "safe and secure" if they updated Java. While updating software usually affords protection, Oracle failed to inform users that, when multiple versions of Java SE were installed, older versions would remain on the computer. This outdated software then offered a ripe target for hackers.

Oracle acquired Java as part of its 2010 purchase of Sun Microsystems, giving it a runtime that is installed on billions of machines and around 850 million PCs. Java became a popular target for hackers due to its wide distribution and a steady stream of bugs that left machines exposed to hackers and exploit kits.

Security firms have long warned that outdated Java software leaves enterprise and consumer systems vulnerable to attack. Previous Java zero-day bugs have also prompted warnings by the US government to disable Java in the browser. A Java zero-day flaw was how state-sponsored attackers hacked Apple and Facebook employees in 2013.

Announcing the settlement with Oracle, the FTC noted that Oracle failed to rectify the incomplete processes for uninstalling Java during updates until August 2014. It also alleged that Oracle was aware of its flawed update process in 2011.

"While Oracle did have notices on their website relating to the need to remove older versions because of the security risk they posed, the information did not explain that the update process did not automatically remove all older versions of Java SE. The updates continued to remove only the most recent version of Java SE installed until August 2014," it said.
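The condition the FTC describes, several Java SE versions sitting side by side with only the newest one current, is something an administrator can check for directly. The script below is an added illustration, not Oracle's code or anything from the FTC filing: it normalises both the legacy `1.x.y_update` and the post-JDK 9 `major.minor.security` version formats into comparable tuples, reads version numbers out of install directory names and out of `java -version` output, and reports every install older than the newest. The directory names and the `java -version` text are constructed sample data; the `jre`/`jdk` naming pattern is an assumption about how installers lay out their folders and should be adjusted for other layouts.

```python
"""Added example: flag stale Java SE installs left behind by updates.

Assumptions (not from the article): install folders are named like
"jre1.8.0_45" or "jdk-11.0.2", and "java -version" prints a line of the
form: java version "1.8.0_45".
"""
import os
import re
from typing import List, Tuple

# Java version strings changed shape at JDK 9:
#   legacy: "1.8.0_45"  -> major 8, minor 0, update 45
#   modern: "11.0.2"    -> major 11, minor 0, security 2
_LEGACY = re.compile(r"^1\.(\d+)\.(\d+)(?:_(\d+))?$")
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?$")
# Version embedded in an install directory name (assumed layout).
_DIRVER = re.compile(r"(?:jre|jdk)-?(\d+(?:\.\d+)*(?:_\d+)?)$")
# First line of "java -version" output (Oracle JDK or OpenJDK).
_JAVAOUT = re.compile(r'(?:java|openjdk) version "([^"]+)"')


def parse_java_version(text: str) -> Tuple[int, int, int, int]:
    """Normalise a Java SE version string to (major, minor, security, patch)
    so legacy and modern formats compare correctly with each other."""
    text = text.strip()
    m = _LEGACY.match(text)
    if m:
        major, minor, update = m.groups()
        return (int(major), int(minor), int(update or 0), 0)
    m = _MODERN.match(text)
    if m:
        a, b, c, d = (int(p or 0) for p in m.groups())
        return (a, b, c, d)
    raise ValueError(f"unrecognised Java version: {text!r}")


def version_from_dirname(name: str) -> str:
    """Extract the version string from an install folder name."""
    m = _DIRVER.search(name)
    if not m:
        raise ValueError(f"no Java version in directory name: {name!r}")
    return m.group(1)


def version_from_java_output(output: str) -> str:
    """Extract the version string from captured 'java -version' output."""
    m = _JAVAOUT.search(output)
    if not m:
        raise ValueError("no version line in java -version output")
    return m.group(1)


def find_stale(install_dirs: List[str]) -> Tuple[str, List[str]]:
    """Return (newest install, [installs strictly older than it]).

    Every entry in the second list is a leftover an updater should have
    removed; each one is an independently reachable, unpatched runtime.
    """
    parsed = [(parse_java_version(version_from_dirname(d)), d) for d in install_dirs]
    newest_key, newest_dir = max(parsed, key=lambda p: p[0])
    stale = [d for key, d in parsed if key < newest_key]
    return newest_dir, stale


def scan_install_root(root: str) -> List[str]:
    """List Java install folders under a real directory (e.g. a
    'Program Files\\Java' folder); used for live checks, not in the test."""
    return [d for d in os.listdir(root) if _DIRVER.search(d)]


# Constructed sample data (not taken from any real host).
SAMPLE_INSTALL_DIRS = ["jre1.7.0_67", "jre1.8.0_45", "jdk1.8.0_45", "jdk-11.0.2"]
SAMPLE_JAVA_VERSION_OUTPUT = (
    'java version "1.8.0_45"\n'
    "Java(TM) SE Runtime Environment (build 1.8.0_45-b14)\n"
)

if __name__ == "__main__":
    newest, stale = find_stale(SAMPLE_INSTALL_DIRS)
    print(f"newest install: {newest}")
    for d in stale:
        print(f"STALE: {d} ({version_from_dirname(d)}) - older runtime still present")
    print("default java on PATH reports:", version_from_java_output(SAMPLE_JAVA_VERSION_OUTPUT))
```

Note that the comparison is by version only: two folders carrying the same version (a JRE and a JDK at 1.8.0_45 in the sample) are not flagged against each other, and the check says nothing about whether the newest install is itself current, which still has to be compared against the vendor's latest release.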

Oracle is now bound to an order that demands it "notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of having the older software, and give them the option to uninstall it".

The company will also have to publicise the terms of the settlement on its website and via social media.

Under the terms, Oracle must, within 10 days of agreeing to the settlement, post on Twitter and Facebook a message that states: "IMPORTANT INFORMATION REGARDING THE SECURITY OF JAVA SE" and a link to a letter explaining why it was sued by the FTC.

And if Oracle's message doesn't reach consumers, the FTC is running its own Java alert campaign starting with its blog, titled "What's worse than stale coffee? Stale Java", which offers a non-technical explanation of the risks Oracle exposed them to.
